On the following page you will find a picture of how the ITIL framework is structured around the various Service Lifecycles. You can use this illustration as a guide while you read through the rest of the document, where we give you a summary of each of the processes and functions in each book of the ITIL Framework.

[Figure: the ITIL framework structured around the Service Lifecycles]

ITIL Service Management Courses

After reading this beginner's guide you may wish to attend a formal ITIL Service Management certification course. When you attend a course, the trainer will typically present the course subject (ITIL Service Management Practices) through slides, discussions and exercises. The exercises are generally based on a case study. The fact sheets give an overview per process of the goal, activities and results. This syllabus gives some more information on ITIL Service Management Practices to prepare the course participant for the ITIL Service Management Practices Foundation exam. It provides some additional reading material, internet links and evidence of ITSM implementations. When provided with the course material, the itSMF booklet gives a summarised overview of the ITIL processes with concise descriptions and diagrams.

IT Service Management: Implementing ITIL Service Management Practices

Introduction

ITIL Service Management Practice is something that impacts the entire IT organization. Implementation of end-to-end processes can have a big impact on the way things are done and can create a lot of uncertainty and resistance among staff. For these reasons, it is important to implement ITIL Service Management Practices with a step-by-step and steady approach. The following model is an example of such an approach.

[Figure: step-by-step ITIL implementation model]

Developing ITIL processes is a fairly easy job to do! Making sure everybody understands the processes and uses them is more difficult and requires serious planning. It is advisable to use a project management approach to ITIL Service Management implementation and stay focused on the clearly defined end results (many different Project Management methodologies exist). The trademark owners of ITIL (the OGC) publish a widely used Project Management methodology called PRINCE2 (Projects in Controlled Environments).

Cultural change

A small percentage of the implementation project will be about process design. Most of the challenge lies in cultural change and in motivating staff to use the end-to-end processes as the better way to do business. Any change leads to feelings of vulnerability and loss of control. These feelings generally manifest themselves as resistance. The most important thing in this stage of the ITIL implementation is to keep the focus on the reason why your organization needs ITIL Service Management in the first place.

Implementation Checklist

DO's:
- Perform a feasibility study first
- Use what is already good in the organization
- Take it slowly and concentrate on small steps and quick wins
- Appoint a strong project manager with end-to-end focus to drive this implementation program
- Keep in mind that you are dealing with personal issues
- Keep communicating WHY your organization needs this

Security Management

Security Management comes under the umbrella of Information Security, which aims to ensure the safety of information.
Safety refers to not being vulnerable to known risks, and avoiding unknown risks where possible.
The tool to provide this is security.
The aim is to protect the value of the information.
This value depends on confidentiality, integrity and availability.
- Confidentiality: protecting information against unauthorized access and use.
- Integrity: accuracy, completeness and timeliness of the information.
- Availability: the information should be accessible at any agreed time. This depends on the continuity provided by the information processing systems.
Secondary aspects include privacy (confidentiality and integrity of information relating to individuals), anonymity, and verifiability (being able to verify that the information is used correctly and that the security measures are effective).

Objectives

In recent decades, almost all businesses have become more dependent on information systems.
The use of computer networks has also grown, not only within businesses but also between them, and between businesses and the world outside. The increasing complexity of IT infrastructure means that businesses are now more vulnerable to technical failures, human error, intentional human acts, hackers and crackers, computer viruses, etc. This growing complexity requires a unified management approach.
Security Management has important ties with other processes.
Other ITIL processes, under the supervision of Security Management, carry out some security activities. Security Management has two objectives:
- To meet the security requirements of the SLAs and other external requirements further to contracts, legislation and externally imposed policies.
- To provide a basic level of security, independent of external requirements.
Security Management is essential to maintaining the uninterrupted operation of the IT organization. It also helps to simplify Information Security Service Level Management, as it is much more difficult to manage a large number of different SLAs than a limited number. The process input is provided by the SLAs, which specify security requirements, possibly supplemented by policy documents and other external requirements.
The process also receives information about relevant security issues in other processes, such as security incidents.
The output includes information about the achieved implementation of the SLAs, including exception reports and routine security planning.

At present, many organizations deal with Information Security at the strategic level in information policy and information plans and at the operational level by purchasing tools and other security products.
Insufficient attention is given to the active management of Information Security, the continuous analysis and translation of policies into technical options, and ensuring that the security measures continue to be effective when the requirements and environment change.
The consequence of this missing link is that, at the tactical management level, significant investments are made in measures that are no longer relevant, at a time when new, more effective measures ought to be taken.
Security Management aims to ensure that effective Information Security measures are taken at the strategic, tactical and operational levels.

Benefits

Information Security is not a goal in itself; it aims to serve the interests of the business or organization.
Some information and information services will be more important to the organization than others.
Information Security must be appropriate to the importance of the information.
Striking a balance between the security measures, the value of the information and the threats in the processing environment produces tailor-made security. An effective information supply, with adequate Information Security, is important to an organization for two reasons:
Internal reasons: an organization can only operate effectively if correct and complete information is available when required. The level of Information Security should be appropriate for this.
External reasons: the processes in an organization create products and services, which are made available to the market or society, to meet defined objectives.
An inadequate information supply will lead to substandard products and services, which cannot be used to meet the objectives and which will threaten the survival of the organization.
Adequate Information Security is an important condition for having an adequate information supply.
The external significance of Information Security is therefore determined in part by the internal significance.
Security can provide significant added value to an information system.
Effective security contributes to the continuity of the organization and helps to meet its objectives.

Process

Organizations and their information systems change.
Checklists such as the Code of Practice for Information Security Management are static and insufficiently address rapid changes in IT.
For this reason, Security Management activities must be reviewed continuously to ensure their effectiveness.
Security Management amounts to a never-ending cycle of plan, do, check, and act.
The activities undertaken by Security Management, or undertaken in other processes under the control of Security Management are discussed below.
The security section of the Service Level Agreement defines these requirements in terms of the security services and the level of security to be provided.

Activities

Control: Information Security policy and organization

The Control activity is the first activity of Security Management and relates to the organization and management of the process.
This includes the Information Security management framework.
This framework describes the sub processes: the definition of security plans, their implementation, evaluation of the implementation, and incorporation of the evaluation in the annual security plans (action plans).
The reports provided to the customer, via Service Level Management, are also addressed.
This activity defines the sub processes, security functions, and roles and responsibilities.
It also describes the organizational structure, reporting arrangements, and line of control (who instructs whom, who does what, how the implementation is reported).

Policy
- Policy development and implementation, links with other policies.
- Objectives, general principles and significance.
- Description of the sub processes.
- Allocating functions and responsibilities for sub processes.
- Links with other ITIL processes and their management.
- General responsibility of personnel.
- Dealing with security incidents.

Information Security organization
- Management framework.
- Management structure (organizational structure).
- Allocation of responsibilities in greater detail.
- Setting up an Information Security Steering Committee.
- Information Security coordination.
- Agreeing tools (e.g. for risk analysis and improving awareness).
- Description of the IT facilities authorization process, in consultation with the customer.
- Specialist advice.
- Cooperation between organizations, internal and external communications.
- Independent EDP audit.
- Security principles for access by third parties.

The Evaluation activity
- Reports about the sub process as such.
- Results of audits, reviews, and internal assessments.
- Warnings, identification of new threats.

Specific reports

To report on security incidents defined in the SLA, the service provider must have a direct channel of communication to a customer representative (possibly the Corporate Information Security Officer) through the Service Level Manager, Incident Manager or Security Manager. A procedure should also be defined for communication in special circumstances. Apart from the exception in the event of special circumstances, reports are communicated through Service Level Management.

Relationships with other processes

Security Management has links with the other ITIL processes.
This is because the other processes undertake security-related activities.
These activities are carried out in the normal way, under the responsibility of the relevant process and process manager.
However, Security Management gives instructions about the structure of the security-related activities to the other processes.
Normally, these agreements are defined after consultation between the Security Manager and the other process managers.

Service Asset & Configuration Management

In the context of Information Security, Configuration Management is primarily relevant because it can classify Configuration Items. This classification links the CI with specified security measures or procedures.

The classification of a CI indicates its required confidentiality, integrity and availability.
This classification is based on the security requirements of the SLA.
The customer of the IT organization determines the classification, as only the customer can decide how important the information or information systems are to the business processes.
The customer bases the classification on an analysis of the extent to which the business processes depend on the information systems and the information.
The IT organization then associates the classification with the relevant CIs.
The IT organization must also implement this set of security measures for each classification level.
These sets of measures can be described in procedures.
Example: ‘Procedure for handling storage media with personal data’.
The SLA can define the sets of security measures for each classification level.
The classification system should always be tailored to the customer’s organization.
However, to simplify management it is advisable to aim for one unified classification system, even when the IT organization has more than one customer.

In summary, classification is a key issue.
The CMDB should indicate the classification of each CI.
This classification links the CI with the relevant set of security measures or procedure.

Incident Management

Incident Management is an important process for reporting security incidents.
Depending on the nature of the incident, security incidents may be covered by a different procedure than other Incidents.
It is therefore essential that Incident Management recognise security incidents as such.
Any Incident, which may interfere with achieving the SLA security requirements, is classified as a security incident.
It is useful to include a description in the SLA of the type of Incidents to be considered as security incidents.
An Incident that interferes with achieving the basic internal security level (baseline) is also always classified as a security incident.
Incident reports are generated not only by users, but also by the management process, possibly on the basis of alarms or audit data from the systems.
It is clearly essential that Incident Management recognise all security incidents.
This is to ensure that the appropriate procedures are initiated for dealing with security incidents.
It is advisable to include the procedures for different types of security incidents in the SLA plans and to practice the procedure.
It is also advisable to agree a procedure for communicating about security incidents.
It is not unusual for panic to be created by rumours blown out of proportion. Similarly, it is not unusual for damage to result from a failure to communicate in time about security incidents.
It is advisable to route all external communications related to security incidents through the Security Manager.

Problem Management

Problem Management is responsible for identifying and solving structural security failings.
A Problem may also introduce a security risk.
In that case, Problem Management must involve Security Management in resolving the Problem.
Finally, the solution or workaround for a Problem or Known Error must always be checked to ensure that it does not introduce new security problems.
This verification should be based on compliance with the SLA and internal security requirements.

Change Management

Change Management activities are often closely associated with security because Change Management and Security Management are interdependent.
If an acceptable security level has been achieved and is managed by the Change Management process, then it can be ensured that this level of security will also be provided after Changes.
There are a number of standard operations to ensure that this security level is maintained.
Each RFC is associated with a number of parameters, which govern the acceptance procedure.
The urgency and impact parameters can be supplemented by a security parameter.
If RFCs can have a significant impact on Information Security then more extensive acceptance tests and procedures will be required. The RFCs should also include a proposal for dealing with security issues.
Again, this should be based on the SLA requirements and the basic level of internal security required by the IT organization.
Thus, the proposal will include a set of security measures, based on the Code of Practice. Preferably, the Security Manager (and possibly also the customer's Security Officer) should be a member of the Change Advisory Board (CAB).

Service Level Management

Security Management provides input and support to Service Level Management for activities 1 – 3. Security Management carries out activities 4 and 5. Security Management and other processes provide input for activity 6. The Service Level Manager and the Security Manager decide in consultation who actually undertakes the activities.

When defining an SLA it is normally assumed that there is a general basic level of security (baseline). Additional security requirements of the customer should be clearly defined in the SLA.

Availability Management

Availability Management addresses the technical availability of IT components in relation to the availability of the service.
The quality of availability is assured by continuity, maintainability and resilience.
Availability Management is the most important process related to availability.
As many security measures benefit both availability and the security aspects confidentiality and integrity, effective coordination of the measures between Availability Management, IT Service Continuity Management, and Security Management is essential.

Capacity Management

Capacity Management is responsible for the best possible use of IT resources, as agreed with the customer.
The performance requirements are based on the qualitative and quantitative standards defined by Service Level Management.
Almost all Capacity Management activities affect availability and therefore also Security Management.

IT Service Continuity Management

IT Service Continuity Management ensures that the impact of any contingencies is limited to the level agreed with the customer.
Contingencies need not necessarily turn into disasters.
The major activities are defining, maintaining, implementing, and testing the contingency plan, and taking preventive action.
Because of the security aspects, there are ties with Security Management.
On the other hand, failure to fulfil the basic security requirements may itself be considered a contingency.

Security section of the Service Level Agreement

The Service Level Agreement (SLA) defines the agreements with the customer.
The Service Level Management process is responsible for the SLA.
The SLA is the most important driver for all ITIL processes.
The IT organization indicates to what extent the requirements of the SLA are achieved, including security requirements.
The security elements addressed in the SLA should correspond to the security needs of the customer.
The customer should identify the significance of all business processes.
These business processes depend on IT services, and therefore on the IT organization.
The customer determines the security requirements on the basis of a risk analysis.
The security elements are discussed between the representative of the customer and the representative of the service provider.
The service provider compares the customer’s Service Level Requirements with their own Service Catalogue, which describes their standard security measures (the Security Baseline).
The customer may have additional requirements.
The customer and provider compare the Service Level Requirements and the Service Catalogue.
The security section of the SLA can address issues such as the general Information Security policy, a list of authorized personnel, asset protection procedures, restrictions on copying data, etc.

Security section of the Operational Level Agreement

The Operational Level Agreement is another important document.
It describes the services provided by the service provider.
The provider must associate these agreements with responsibilities within the organization.
The Service Catalogue gives a general description of the services.
The Operational Level Agreement translates these general descriptions into all services and their components, and the way in which the agreements about the service levels are assured within the organization.

Example: the Service Catalogue refers to 'managing authorisations per user and per individual'.
The Operational Level Agreement details this for all relevant services provided by the IT organization.
In this way, the implementation of the measure is defined for the departments providing UNIX, VMS, NT, Oracle services, etc.
Where possible, the customer’s Service Level Requirements are interpreted in terms of the provider’s Service Catalogue, and additional agreements are concluded where necessary.
Such additional measures exceed the standard security level.
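As an added example (not from the guide or from ITIL itself), the following Python sketch models how the CMDB classification of CIs, the provider's Service Catalogue baseline and the customer's Service Level Requirements fit together, as described in the Configuration Management and SLA/OLA sections above; all levels, measures, platforms and CI names are constructed, and the rule that the strictest of the three aspects selects the measure set is an assumption.

```python
from dataclasses import dataclass

# One unified classification scheme, as the text advises even when the IT
# organization has several customers (constructed levels, lowest to highest).
LEVELS = ("low", "medium", "high")

# The provider's Service Catalogue (constructed): the Security Baseline every CI
# receives, plus the extra measure set tied to each classification level.
BASELINE = frozenset({"patching", "malware protection", "access logging"})
MEASURES_PER_LEVEL = {
    "low": frozenset(),
    "medium": frozenset({"managing authorisations per user"}),
    "high": frozenset({"managing authorisations per user",
                       "procedure for handling storage media with personal data",
                       "independent EDP audit"}),
}


@dataclass(frozen=True)
class CI:
    """A Configuration Item as recorded in the CMDB, carrying the classification
    the customer assigned for confidentiality, integrity and availability."""
    name: str
    platform: str          # department providing it (UNIX, Oracle, ...)
    confidentiality: str
    integrity: str
    availability: str

    def classification(self) -> str:
        """Assumption: the strictest of the three aspects selects the measure set.
        Rejects values outside the unified scheme so the CMDB stays consistent."""
        aspects = (self.confidentiality, self.integrity, self.availability)
        for aspect in aspects:
            if aspect not in LEVELS:
                raise ValueError(f"{self.name}: unknown classification {aspect!r}")
        return max(aspects, key=LEVELS.index)


def required_measures(ci: CI) -> frozenset:
    """Measures the IT organization must implement for a CI: baseline plus its level's set."""
    return BASELINE | MEASURES_PER_LEVEL[ci.classification()]


def compare_requirements(slr: set, ci: CI) -> dict:
    """Compare the customer's Service Level Requirements for a CI with the catalogue:
    requirements met by standard measures need no extra agreement; the rest exceed
    the standard security level and must be written into the SLA explicitly."""
    standard = required_measures(ci)
    return {"covered": slr & standard, "additional": slr - standard}


def ola_entries(cmdb: list, measure: str) -> dict:
    """Translate one catalogue measure into OLA detail: which providing departments
    must implement it, and for which of their CIs."""
    entries: dict = {}
    for ci in cmdb:
        if measure in required_measures(ci):
            entries.setdefault(ci.platform, []).append(ci.name)
    return entries


# Constructed CMDB extract for the example.
CMDB = [
    CI("payroll-db", "Oracle", "high", "high", "medium"),
    CI("intranet-web", "UNIX", "low", "medium", "medium"),
    CI("build-server", "UNIX", "low", "low", "low"),
]

if __name__ == "__main__":
    slr = {"patching", "managing authorisations per user",
           "four-eyes approval of payroll runs"}
    print(compare_requirements(slr, CMDB[0]))
    print(ola_entries(CMDB, "managing authorisations per user"))
```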
When drafting the SLA, measurable Key Performance Indicators (KPI) and criteria must also be agreed for Security Management.
KPIs are measurable parameters (metrics), and performance criteria are set at achievable levels.
In some cases it will be difficult to agree on measurable security parameters.
This is easier for availability, which can generally be expressed numerically.
However, this is much more difficult for integrity and confidentiality.
For this reason, the security section of the SLA normally describes the required measures in abstract terms.
The Code of Practice for Information Security Management is used as a basic set of security measures.
The SLA also describes how performance is measured.
The IT organization (service provider) must regularly provide reports to the user organization (customer).

Process control

Critical success factors and performance indicators

The critical success factors are:
- Full management commitment and involvement.
- User involvement when developing the process.
- Clear and separated responsibilities.
The Security Management performance indicators correspond with the Service Level Management performance indicators, in so far as these relate to security issues covered by the SLA.

Functions and roles

In small IT organizations, one person may manage several processes, while in large organizations several persons will be working on one process, such as Security Management.
In this case there is normally one person appointed as Security Manager.
The Security Manager is responsible for the effective operation of the Security Management process.
Their counterpart in the customer's organization is the Information Security Officer, or Corporate Information Security Officer.

Points of Attention and costs

As with any process there are areas that could undermine the successful implementation. The following section details some of the areas that must be covered to make the process implementation worthwhile.

itSMF

- To develop and promote Industry Best Practice in service management
- To engender greater professionalism within service management personnel
- To provide a vehicle for helping members improve their service performance
- To provide members with a relevant forum in which to exchange information and share experience with their peers on both sides of the industry

Membership

itSMF members are drawn from across industry, commerce and the public sector. Most members represent "user" organisations that are responsible for delivering quality IT services to their customers and the remainder represent the leading IT service and product providers. Many of the leading blue chip companies are to be found amongst the user membership. Globally, the itSMF now boasts thousands of individual and corporate members.

ANECDOTE

ITIL is used by an ever increasing number of organizations to meet the growing demand on the IT service infrastructure.
These are some of the benefits of implementing ITIL processes. ITIL's most significant benefit is that it shows you what to do in terms of improving IT operations, and how to do it. Now is an opportune time to apply the lifecycle principles to your environment and ensure that the service ethos of continual service improvement is an integral part of business as usual. Plus, with ITIL now the basis for an international quality standard (ISO/IEC 20000), your organization can receive independent verification of IT Service Management excellence. Among the many benefits, this standard provides organizations with a competitive edge in the RFP process and can be instrumental in audit preparation.

Research confirms the benefits of the Version 3 ITIL approach, which:
- Establishes the integration of business strategy with IT service strategy.
- Enables agile service design and a ROI blueprint.
- Provides transition models that are fit for purpose in a variety of innovations.
- Demystifies the management of service providers and sourcing models.
- Improves the ease of implementing and managing services for dynamic, high-risk, volatile and rapidly changing business needs.
- Improves the measurement and demonstration of value.
- Identifies the triggers for improvement and change anywhere in the service lifecycle.
- Addresses the current gaps and deficiencies in ITIL today.